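---
# Composition for the devopstoolkitseries.com/v1alpha1 SQL composite resource
# (XR) on AWS. It builds a VPC with three public subnets, an RDS PostgreSQL
# instance, a provider-sql ProviderConfig and a provider-kubernetes
# ProviderConfig scoped to this XR, a connection Secret in the claim
# namespace, and optionally Atlas schema migrations, External Secrets
# pull/push objects and Dapr components. Every pipeline step's function must
# be installed under the name given in its functionRef.
#
# Fields read from the XR: spec.id, spec.claimRef.namespace,
# spec.parameters.{size,version,databases,schemas} and
# spec.parameters.secrets.{storeName,pullRootPasswordKey,pushToStore,
# pullToCluster,pullToClusterNamespace,daprComponents}.
#
# NOTE(review): the database is exposed on 0.0.0.0/0, created with
# publiclyAccessible: true and skipFinalSnapshot: true. That matches the
# apparent intent (the consuming cluster reaches RDS from outside the VPC) but
# it is not a production posture; see the comments on the SecurityGroupRule
# and Instance resources before reusing this.
kind: Composition
apiVersion: apiextensions.crossplane.io/v1
metadata:
  name: aws-postgresql
  labels:
    db: postgresql
    provider: aws
spec:
  compositeTypeRef:
    apiVersion: devopstoolkitseries.com/v1alpha1
    kind: SQL
  mode: Pipeline
  pipeline:
    # Step 1: static AWS resources, the per-XR ProviderConfigs and the
    # in-cluster connection Secret, all via patch-and-transform.
    - step: patch-and-transform
      functionRef:
        name: crossplane-contrib-function-patch-and-transform
      input:
        apiVersion: pt.fn.crossplane.io/v1beta1
        kind: Resources
        patchSets:
          # Shared by every resource that does not need a name suffix:
          # propagate the XR's annotations and name the managed resource
          # after spec.id.
          - name: metadata
            patches:
              - fromFieldPath: metadata.annotations
                toFieldPath: metadata.annotations
              - fromFieldPath: spec.id
                toFieldPath: metadata.name
        resources:
          # NOTE(review): 11.0.0.0/16 is publicly routed address space, not
          # RFC 1918; inside the VPC it shadows those Internet destinations.
          # Changing cidrBlock replaces the VPC, so this is flagged rather
          # than changed.
          - name: vpc
            base:
              apiVersion: ec2.aws.upbound.io/v1beta1
              kind: VPC
              spec:
                forProvider:
                  cidrBlock: 11.0.0.0/16
                  enableDnsHostnames: true
                  enableDnsSupport: true
                  region: us-east-1
            patches:
              - patchSetName: metadata
                type: PatchSet
          # One subnet per AZ. The zone label is what the RouteTableAssociation
          # selectors below match on; the name gets an AZ suffix so the three
          # subnets do not collide.
          - name: subnet-a
            base:
              apiVersion: ec2.aws.upbound.io/v1beta1
              kind: Subnet
              metadata:
                labels:
                  zone: us-east-1a
              spec:
                forProvider:
                  availabilityZone: us-east-1a
                  cidrBlock: 11.0.0.0/24
                  region: us-east-1
                  vpcIdSelector:
                    matchControllerRef: true
            patches:
              - fromFieldPath: metadata.annotations
                toFieldPath: metadata.annotations
              - fromFieldPath: spec.id
                toFieldPath: metadata.name
                transforms:
                  - type: string
                    string:
                      type: Format
                      fmt: "%s-a"
          - name: subnet-b
            base:
              apiVersion: ec2.aws.upbound.io/v1beta1
              kind: Subnet
              metadata:
                labels:
                  zone: us-east-1b
              spec:
                forProvider:
                  availabilityZone: us-east-1b
                  cidrBlock: 11.0.1.0/24
                  region: us-east-1
                  vpcIdSelector:
                    matchControllerRef: true
            patches:
              - fromFieldPath: metadata.annotations
                toFieldPath: metadata.annotations
              - fromFieldPath: spec.id
                toFieldPath: metadata.name
                transforms:
                  - type: string
                    string:
                      type: Format
                      fmt: "%s-b"
          - name: subnet-c
            base:
              apiVersion: ec2.aws.upbound.io/v1beta1
              kind: Subnet
              metadata:
                labels:
                  zone: us-east-1c
              spec:
                forProvider:
                  availabilityZone: us-east-1c
                  cidrBlock: 11.0.2.0/24
                  region: us-east-1
                  vpcIdSelector:
                    matchControllerRef: true
            patches:
              - fromFieldPath: metadata.annotations
                toFieldPath: metadata.annotations
              - fromFieldPath: spec.id
                toFieldPath: metadata.name
                transforms:
                  - type: string
                    string:
                      type: Format
                      fmt: "%s-c"
          # RDS subnet group spanning all three subnets (selected by
          # controller reference, so every subnet owned by this XR).
          - name: subnetgroup
            base:
              apiVersion: rds.aws.upbound.io/v1beta1
              kind: SubnetGroup
              spec:
                forProvider:
                  description: I'm too lazy to write a good description
                  region: us-east-1
                  subnetIdSelector:
                    matchControllerRef: true
            patches:
              - patchSetName: metadata
                type: PatchSet
          # Internet gateway + a route table with a 0.0.0.0/0 default route
          # through it, made the VPC's main table and attached to each subnet.
          # This is what makes the subnets public.
          - name: gateway
            base:
              apiVersion: ec2.aws.upbound.io/v1beta1
              kind: InternetGateway
              spec:
                forProvider:
                  region: us-east-1
                  vpcIdSelector:
                    matchControllerRef: true
            patches:
              - patchSetName: metadata
                type: PatchSet
          - name: routeTable
            base:
              apiVersion: ec2.aws.upbound.io/v1beta1
              kind: RouteTable
              spec:
                forProvider:
                  region: us-east-1
                  vpcIdSelector:
                    matchControllerRef: true
            patches:
              - patchSetName: metadata
                type: PatchSet
          - name: route
            base:
              apiVersion: ec2.aws.upbound.io/v1beta1
              kind: Route
              spec:
                forProvider:
                  destinationCidrBlock: 0.0.0.0/0
                  gatewayIdSelector:
                    matchControllerRef: true
                  region: us-east-1
                  routeTableIdSelector:
                    matchControllerRef: true
            patches:
              - patchSetName: metadata
                type: PatchSet
          - name: mainRouteTableAssociation
            base:
              apiVersion: ec2.aws.upbound.io/v1beta1
              kind: MainRouteTableAssociation
              spec:
                forProvider:
                  region: us-east-1
                  routeTableIdSelector:
                    matchControllerRef: true
                  vpcIdSelector:
                    matchControllerRef: true
            patches:
              - patchSetName: metadata
                type: PatchSet
          - name: routeTableAssociation1a
            base:
              apiVersion: ec2.aws.upbound.io/v1beta1
              kind: RouteTableAssociation
              spec:
                forProvider:
                  region: us-east-1
                  routeTableIdSelector:
                    matchControllerRef: true
                  subnetIdSelector:
                    matchControllerRef: true
                    matchLabels:
                      zone: us-east-1a
            patches:
              - fromFieldPath: metadata.annotations
                toFieldPath: metadata.annotations
              - fromFieldPath: spec.id
                toFieldPath: metadata.name
                transforms:
                  - type: string
                    string:
                      type: Format
                      fmt: "%s-1a"
          - name: routeTableAssociation1b
            base:
              apiVersion: ec2.aws.upbound.io/v1beta1
              kind: RouteTableAssociation
              spec:
                forProvider:
                  region: us-east-1
                  routeTableIdSelector:
                    matchControllerRef: true
                  subnetIdSelector:
                    matchControllerRef: true
                    matchLabels:
                      zone: us-east-1b
            patches:
              - fromFieldPath: metadata.annotations
                toFieldPath: metadata.annotations
              - fromFieldPath: spec.id
                toFieldPath: metadata.name
                transforms:
                  - type: string
                    string:
                      type: Format
                      fmt: "%s-1b"
          - name: routeTableAssociation1c
            base:
              apiVersion: ec2.aws.upbound.io/v1beta1
              kind: RouteTableAssociation
              spec:
                forProvider:
                  region: us-east-1
                  routeTableIdSelector:
                    matchControllerRef: true
                  subnetIdSelector:
                    matchControllerRef: true
                    matchLabels:
                      zone: us-east-1c
            patches:
              - fromFieldPath: metadata.annotations
                toFieldPath: metadata.annotations
              - fromFieldPath: spec.id
                toFieldPath: metadata.name
                transforms:
                  - type: string
                    string:
                      type: Format
                      fmt: "%s-1c"
          # NOTE(review): an AWS security group's description is immutable;
          # editing it replaces the group (and therefore the rule and the
          # instance's network attachment). Leave it as-is on existing
          # deployments.
          - name: securityGroup
            base:
              apiVersion: ec2.aws.upbound.io/v1beta1
              kind: SecurityGroup
              spec:
                forProvider:
                  description: I am too lazy to write descriptions
                  region: us-east-1
                  vpcIdSelector:
                    matchControllerRef: true
            patches:
              - patchSetName: metadata
                type: PatchSet
          # NOTE(review): ingress on 5432 from 0.0.0.0/0. Together with
          # publiclyAccessible: true on the Instance this is a PostgreSQL
          # endpoint reachable from the whole Internet, guarded only by the
          # master password. Restricting cidrBlocks to the consuming cluster's
          # egress addresses is the minimum hardening; that needs a new XR
          # parameter, so it is flagged here rather than changed.
          - name: securityGroupRule
            base:
              apiVersion: ec2.aws.upbound.io/v1beta1
              kind: SecurityGroupRule
              spec:
                forProvider:
                  cidrBlocks:
                    - 0.0.0.0/0
                  description: I am too lazy to write descriptions
                  fromPort: 5432
                  protocol: tcp
                  region: us-east-1
                  securityGroupIdSelector:
                    matchControllerRef: true
                  toPort: 5432
                  type: ingress
            patches:
              - patchSetName: metadata
                type: PatchSet
          # The RDS instance. The master password is read from Secret
          # "<spec.id>-password" in the claim namespace (patched below); that
          # Secret is either pre-created by the claim owner or produced by the
          # secret-pull step.
          # NOTE(review): publiclyAccessible: true gives the instance a public
          # address; skipFinalSnapshot: true means deleting the XR destroys
          # the data with no backup. storageEncrypted and deletionProtection
          # are not set, so the provider defaults apply -- confirm they meet
          # your requirements.
          - name: rdsinstance
            base:
              apiVersion: rds.aws.upbound.io/v1beta1
              kind: Instance
              spec:
                forProvider:
                  allocatedStorage: 200
                  dbSubnetGroupNameSelector:
                    matchControllerRef: true
                  engine: postgres
                  passwordSecretRef:
                    key: password
                  publiclyAccessible: true
                  region: us-east-1
                  skipFinalSnapshot: true
                  username: masteruser
                  vpcSecurityGroupIdSelector:
                    matchControllerRef: true
            patches:
              - patchSetName: metadata
                type: PatchSet
              # spec.parameters.size must be one of the map keys; any other
              # value makes the patch (and the composition) fail.
              - fromFieldPath: spec.parameters.size
                toFieldPath: spec.forProvider.instanceClass
                transforms:
                  - type: map
                    map:
                      large: db.m5.8xlarge
                      medium: db.m5.2xlarge
                      small: db.m5.large
              - fromFieldPath: spec.parameters.version
                toFieldPath: spec.forProvider.engineVersion
              - fromFieldPath: spec.id
                toFieldPath: spec.forProvider.passwordSecretRef.name
                transforms:
                  - type: string
                    string:
                      type: Format
                      fmt: "%s-password"
              - fromFieldPath: spec.claimRef.namespace
                toFieldPath: spec.forProvider.passwordSecretRef.namespace
          # provider-sql ProviderConfig named after the XR, authenticating
          # with the connection Secret "<spec.id>" that the sql-secret Object
          # below creates in the claim namespace.
          # NOTE(review): sslMode: require encrypts the session but does not
          # verify the server certificate; verify-full with the RDS CA bundle
          # is the stronger setting.
          - name: sql-config
            base:
              apiVersion: postgresql.sql.crossplane.io/v1alpha1
              kind: ProviderConfig
              metadata:
                name: default
              spec:
                credentials:
                  source: PostgreSQLConnectionSecret
                sslMode: require
            patches:
              - patchSetName: metadata
                type: PatchSet
              - fromFieldPath: spec.id
                toFieldPath: spec.credentials.connectionSecretRef.name
              - fromFieldPath: spec.claimRef.namespace
                toFieldPath: spec.credentials.connectionSecretRef.namespace
            # ProviderConfigs carry no Ready condition.
            readinessChecks:
              - type: None
          # provider-kubernetes ProviderConfig "<spec.id>-sql" used by every
          # Object in this composition that targets the local cluster.
          # NOTE(review): InjectedIdentity means those Objects are applied
          # with provider-kubernetes' own service account, so that account
          # needs RBAC to write Secrets, ExternalSecrets, PushSecrets,
          # AtlasSchemas and Dapr Components in every claim namespace.
          - name: kubernetes
            base:
              apiVersion: kubernetes.crossplane.io/v1alpha1
              kind: ProviderConfig
              spec:
                credentials:
                  source: InjectedIdentity
            patches:
              - fromFieldPath: metadata.annotations
                toFieldPath: metadata.annotations
              - fromFieldPath: spec.id
                toFieldPath: metadata.name
                transforms:
                  - type: string
                    string:
                      type: Format
                      fmt: "%s-sql"
            readinessChecks:
              - type: None
          # Secret "<spec.id>" in the claim namespace with the keys
          # provider-sql and the Atlas step expect: username and endpoint are
          # read from the RDS Instance, password is copied from Secret
          # "<spec.id>-password" in the claim namespace, port is the fixed
          # base64 of "5432". Note this duplicates the master password into
          # a second Secret.
          - name: sql-secret
            base:
              apiVersion: kubernetes.crossplane.io/v1alpha2
              kind: Object
              spec:
                forProvider:
                  manifest:
                    apiVersion: v1
                    kind: Secret
                    metadata:
                      namespace: crossplane-system
                    data:
                      port: NTQzMg==
                references:
                  - patchesFrom:
                      apiVersion: rds.aws.upbound.io/v1beta1
                      kind: Instance
                      namespace: crossplane-system
                      fieldPath: spec.forProvider.username
                    toFieldPath: stringData.username
                  - patchesFrom:
                      apiVersion: v1
                      kind: Secret
                      namespace: crossplane-system
                      fieldPath: data.password
                    toFieldPath: data.password
                  - patchesFrom:
                      apiVersion: rds.aws.upbound.io/v1beta1
                      kind: Instance
                      namespace: crossplane-system
                      fieldPath: status.atProvider.address
                    toFieldPath: stringData.endpoint
            patches:
              - fromFieldPath: metadata.annotations
                toFieldPath: metadata.annotations
              - fromFieldPath: spec.id
                toFieldPath: metadata.name
                transforms:
                  - type: string
                    string:
                      type: Format
                      fmt: "%s-secret"
              - fromFieldPath: spec.id
                toFieldPath: spec.references[0].patchesFrom.name
              - fromFieldPath: spec.id
                toFieldPath: spec.references[1].patchesFrom.name
                transforms:
                  - type: string
                    string:
                      type: Format
                      fmt: "%s-password"
              - fromFieldPath: spec.claimRef.namespace
                toFieldPath: spec.references[1].patchesFrom.namespace
              - fromFieldPath: spec.id
                toFieldPath: spec.references[2].patchesFrom.name
              - fromFieldPath: spec.id
                toFieldPath: spec.forProvider.manifest.metadata.name
              - fromFieldPath: spec.id
                toFieldPath: spec.providerConfigRef.name
                transforms:
                  - type: string
                    string:
                      type: Format
                      fmt: "%s-sql"
              - fromFieldPath: spec.claimRef.namespace
                toFieldPath: spec.forProvider.manifest.metadata.namespace
    # Step 2: one provider-sql Database per entry in spec.parameters.databases.
    # Templates use literal block scalars (|) so the rendered manifests keep
    # their line breaks exactly.
    - step: sql-db
      functionRef:
        name: crossplane-contrib-function-go-templating
      input:
        apiVersion: gotemplating.fn.crossplane.io/v1beta1
        kind: GoTemplate
        source: Inline
        inline:
          template: |
            {{ range .observed.composite.resource.spec.parameters.databases }}
            ---
            apiVersion: postgresql.sql.crossplane.io/v1alpha1
            kind: Database
            metadata:
              name: {{ $.observed.composite.resource.spec.id }}-{{ . }}
              annotations:
                crossplane.io/external-name: {{ . }}
                gotemplating.fn.crossplane.io/composition-resource-name: {{ $.observed.composite.resource.spec.id }}-{{ . }}
            spec:
              providerConfigRef:
                name: {{ $.observed.composite.resource.spec.id }}
              forProvider: {}
            {{ end }}
    # Step 3: one AtlasSchema per entry in spec.parameters.schemas, applied to
    # the local cluster and fed from Secret "<spec.id>" in the claim namespace.
    # The schema SQL comes verbatim from the claim and is executed against the
    # database by the Atlas operator; only trusted claim authors should be
    # able to set it. Changes versus the earlier revision: a stray
    # "toFieldPath:" line inside the AtlasSchema metadata was removed (it is
    # not an ObjectMeta field), sslmode now matches the provider-sql
    # ProviderConfig instead of sending credentials in clear text, and .sql is
    # passed through quote so SQL containing '"' or '\' cannot break the
    # rendered YAML.
    - step: schema
      functionRef:
        name: crossplane-contrib-function-go-templating
      input:
        apiVersion: gotemplating.fn.crossplane.io/v1beta1
        kind: GoTemplate
        source: Inline
        inline:
          template: |
            {{ range .observed.composite.resource.spec.parameters.schemas }}
            ---
            apiVersion: kubernetes.crossplane.io/v1alpha2
            kind: Object
            metadata:
              name: {{ $.observed.composite.resource.spec.id }}-schema-{{ .database }}
              annotations:
                gotemplating.fn.crossplane.io/composition-resource-name: {{ $.observed.composite.resource.spec.id }}-schema-{{ .database }}
            spec:
              providerConfigRef:
                name: {{ $.observed.composite.resource.spec.id }}-sql
              forProvider:
                manifest:
                  apiVersion: db.atlasgo.io/v1alpha1
                  kind: AtlasSchema
                  metadata:
                    name: {{ $.observed.composite.resource.spec.id }}-{{ .database }}
                    namespace: {{ $.observed.composite.resource.spec.claimRef.namespace }}
                  spec:
                    credentials:
                      scheme: postgres
                      hostFrom:
                        secretKeyRef:
                          key: endpoint
                          name: {{ $.observed.composite.resource.spec.id }}
                      port: 5432
                      userFrom:
                        secretKeyRef:
                          key: username
                          name: {{ $.observed.composite.resource.spec.id }}
                      passwordFrom:
                        secretKeyRef:
                          key: password
                          name: {{ $.observed.composite.resource.spec.id }}
                      database: {{ .database }}
                      parameters:
                        sslmode: require
                    schema:
                      sql: {{ .sql | quote }}
            {{ end }}
    # Step 4 (optional): when secrets.storeName and secrets.pullRootPasswordKey
    # are set, pull the master password from that ClusterSecretStore into
    # Secret "<spec.id>-password" in the claim namespace, which is the Secret
    # the RDS Instance's passwordSecretRef points at.
    - step: secret-pull
      functionRef:
        name: crossplane-contrib-function-go-templating
      input:
        apiVersion: gotemplating.fn.crossplane.io/v1beta1
        kind: GoTemplate
        source: Inline
        inline:
          template: |
            {{ if and
              .observed.composite.resource.spec.parameters.secrets.storeName
              .observed.composite.resource.spec.parameters.secrets.pullRootPasswordKey
            }}
            ---
            apiVersion: kubernetes.crossplane.io/v1alpha2
            kind: Object
            metadata:
              name: {{ $.observed.composite.resource.spec.id }}-secret-pull
              annotations:
                gotemplating.fn.crossplane.io/composition-resource-name: {{ $.observed.composite.resource.spec.id }}-secret-pull
            spec:
              providerConfigRef:
                name: {{ $.observed.composite.resource.spec.id }}-sql
              forProvider:
                manifest:
                  apiVersion: external-secrets.io/v1beta1
                  kind: ExternalSecret
                  metadata:
                    name: {{ $.observed.composite.resource.spec.id }}-password
                    namespace: {{ $.observed.composite.resource.spec.claimRef.namespace }}
                  spec:
                    dataFrom:
                      - extract:
                          conversionStrategy: Default
                          decodingStrategy: None
                          key: {{ $.observed.composite.resource.spec.parameters.secrets.pullRootPasswordKey }}
                          metadataPolicy: None
                    refreshInterval: 1h
                    secretStoreRef:
                      kind: ClusterSecretStore
                      name: {{ $.observed.composite.resource.spec.parameters.secrets.storeName }}
                    target:
                      creationPolicy: Owner
                      deletionPolicy: Retain
                      name: {{ $.observed.composite.resource.spec.id }}-password
            {{ end }}
    # Step 5 (optional): when secrets.storeName and secrets.pushToStore are
    # set, push the connection Secret "<spec.id>" to the ClusterSecretStore
    # under remote key "<spec.id>". Delimiters are switched to [[ ]] so the
    # External Secrets {{ }} template below survives untouched.
    # NOTE(review): the pushed value embeds the master password in JSON and
    # in one libpq connection string per database; the store therefore holds
    # the credential in clear. Values are string-concatenated rather than
    # JSON-encoded, so a password containing '"' or '\' would produce invalid
    # JSON -- confirm whether the ESO template offers toJson before relying
    # on arbitrary passwords. deletionPolicy: Delete removes the remote key
    # when the PushSecret goes away.
    - step: secret-push-store
      functionRef:
        name: crossplane-contrib-function-go-templating
      input:
        apiVersion: gotemplating.fn.crossplane.io/v1beta1
        kind: GoTemplate
        source: Inline
        delims:
          left: "[["
          right: "]]"
        inline:
          template: |
            [[ if and
              .observed.composite.resource.spec.parameters.secrets.storeName
              .observed.composite.resource.spec.parameters.secrets.pushToStore ]]
            ---
            apiVersion: kubernetes.crossplane.io/v1alpha2
            kind: Object
            metadata:
              name: [[ $.observed.composite.resource.spec.id ]]-secret-push-store
              annotations:
                gotemplating.fn.crossplane.io/composition-resource-name: [[ $.observed.composite.resource.spec.id ]]-secret-push-store
            spec:
              providerConfigRef:
                name: [[ $.observed.composite.resource.spec.id ]]-sql
              forProvider:
                manifest:
                  apiVersion: external-secrets.io/v1alpha1
                  kind: PushSecret
                  metadata:
                    name: [[ $.observed.composite.resource.spec.id ]]
                    namespace: [[ $.observed.composite.resource.spec.claimRef.namespace ]]
                  spec:
                    deletionPolicy: Delete
                    refreshInterval: 1h
                    secretStoreRefs:
                      - name: [[ $.observed.composite.resource.spec.parameters.secrets.storeName ]]
                        kind: ClusterSecretStore
                    selector:
                      secret:
                        name: [[ $.observed.composite.resource.spec.id ]]
                    template:
                      data:
                        endpoint: |
                          {
                            "endpoint": "{{ .endpoint }}",
                            "port": "{{ .port }}",
                            "username": "{{ .username }}",
                            "password": "{{ .password }}"[[ range .observed.composite.resource.spec.parameters.databases ]],
                            "conn-[[ . ]]": "host={{ .endpoint }} user={{ .username }} password={{ .password }} port={{ .port }} connect_timeout=10 database=[[ . ]]"[[ end ]]
                          }
                    data:
                      - match:
                          secretKey: endpoint
                          remoteRef:
                            remoteKey: [[ $.observed.composite.resource.spec.id ]]
            [[ end ]]
    # Step 6 (optional): when secrets.storeName and secrets.pullToCluster are
    # set, create an ExternalSecret in another cluster that pulls remote key
    # "<spec.id>" (as pushed by step 5) into Secret "<spec.id>" there.
    # NOTE(review): providerConfigRef.name is taken straight from the claim
    # (secrets.pullToCluster) and the target namespace from
    # secrets.pullToClusterNamespace. A claim author can therefore direct
    # writes at any ProviderConfig provider-kubernetes holds and any namespace
    # in that cluster; constrain both with an XRD enum or admission policy if
    # claim authors are not fully trusted.
    - step: secret-pull-cluster
      functionRef:
        name: crossplane-contrib-function-go-templating
      input:
        apiVersion: gotemplating.fn.crossplane.io/v1beta1
        kind: GoTemplate
        source: Inline
        inline:
          template: |
            {{ if and
              .observed.composite.resource.spec.parameters.secrets.storeName
              .observed.composite.resource.spec.parameters.secrets.pullToCluster
            }}
            ---
            apiVersion: kubernetes.crossplane.io/v1alpha2
            kind: Object
            metadata:
              name: {{ $.observed.composite.resource.spec.id }}-secret-pull-cluster
              annotations:
                gotemplating.fn.crossplane.io/composition-resource-name: {{ $.observed.composite.resource.spec.id }}-secret-pull-cluster
            spec:
              providerConfigRef:
                name: {{ $.observed.composite.resource.spec.parameters.secrets.pullToCluster }}
              forProvider:
                manifest:
                  apiVersion: external-secrets.io/v1beta1
                  kind: ExternalSecret
                  metadata:
                    name: {{ $.observed.composite.resource.spec.id }}
                    namespace: {{ $.observed.composite.resource.spec.parameters.secrets.pullToClusterNamespace }}
                  spec:
                    dataFrom:
                      - extract:
                          conversionStrategy: Default
                          decodingStrategy: None
                          key: {{ $.observed.composite.resource.spec.id }}
                          metadataPolicy: None
                    refreshInterval: 1h
                    secretStoreRef:
                      kind: ClusterSecretStore
                      name: {{ $.observed.composite.resource.spec.parameters.secrets.storeName }}
                    target:
                      creationPolicy: Owner
                      deletionPolicy: Retain
                      name: {{ $.observed.composite.resource.spec.id }}
            {{ end }}
    # Step 7 (optional): when secrets.daprComponents and secrets.pullToCluster
    # are set, one Dapr state.postgresql Component per database in the
    # target cluster, reading its connection string from key "conn-<db>" of
    # the Secret created by step 6. The same trust caveat as step 6 applies.
    - step: dapr-components
      functionRef:
        name: crossplane-contrib-function-go-templating
      input:
        apiVersion: gotemplating.fn.crossplane.io/v1beta1
        kind: GoTemplate
        source: Inline
        inline:
          template: |
            {{ if and
              .observed.composite.resource.spec.parameters.secrets.daprComponents
              .observed.composite.resource.spec.parameters.secrets.pullToCluster
            }}
            {{ range .observed.composite.resource.spec.parameters.databases }}
            ---
            apiVersion: kubernetes.crossplane.io/v1alpha2
            kind: Object
            metadata:
              name: {{ $.observed.composite.resource.spec.id }}-dapr-component-{{ . }}
              annotations:
                gotemplating.fn.crossplane.io/composition-resource-name: {{ $.observed.composite.resource.spec.id }}-dapr-component-{{ . }}
            spec:
              providerConfigRef:
                name: {{ $.observed.composite.resource.spec.parameters.secrets.pullToCluster }}
              forProvider:
                manifest:
                  apiVersion: dapr.io/v1alpha1
                  kind: Component
                  metadata:
                    name: {{ $.observed.composite.resource.spec.id }}-{{ . }}
                    namespace: {{ $.observed.composite.resource.spec.parameters.secrets.pullToClusterNamespace }}
                  spec:
                    type: state.postgresql
                    version: v1
                    metadata:
                      - name: connectionString
                        secretKeyRef:
                          name: {{ $.observed.composite.resource.spec.id }}
                          key: conn-{{ . }}
            {{ end }}
            {{ end }}
    # Step 8: mark the XR ready once every composed resource reports Ready.
    - step: automatically-detect-ready-composed-resources
      functionRef:
        name: crossplane-contrib-function-auto-ready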